Multiple issues have been found in nginx. The issues are fixed in nginx 1.15.6, 1.14.1.

* CVE-2018-16843 CVE-2018-16844
  http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html

  Two security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).

  The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file.

* CVE-2018-16845
  http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html

  A security issue was identified in the ngx_http_mp4_module, which might allow an attacker to cause an infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file.

-- 
Gentoo Security Scout
Vladimir Krstulja
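The advisory above scopes exposure by three facts: the running version, whether the build includes ngx_http_v2_module / ngx_http_mp4_module, and whether any "listen" directive carries the "http2" option. The POSIX sh script below, added here as an example and not part of the bug report or the upstream advisories, turns those three facts into a check an administrator can run against `nginx -V 2>&1` output and a config file. The `nginx -V` text and the server block are constructed samples; the function names (`version_is_fixed`, `build_has_module`, `config_uses_http2`, `exposure`) are this example's own.

```shell
#!/bin/sh
# Added example: decide which of the advisory's issues a given nginx
# build/config is exposed to. Inputs are constructed samples; in practice
# feed it `nginx -V 2>&1` (nginx prints -V on stderr) and the site config.

# Constructed sample of `nginx -V` output for an unfixed stable build.
SAMPLE_NGINX_V='nginx version: nginx/1.14.0
built with OpenSSL 1.0.2p  14 Aug 2018
TLS SNI support enabled
configure arguments: --prefix=/usr --with-http_ssl_module --with-http_v2_module --with-http_mp4_module'

# Constructed sample server block that enables HTTP/2 on its listen line.
SAMPLE_CONF='server {
    listen 443 ssl http2;
    server_name example.invalid;
}'

# version_lt A B: exit 0 if dotted version A (x.y.z) is lower than B.
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# version_is_fixed V: exit 0 if V carries the fixes named in the advisory:
# 1.14.1 and later on the 1.14 stable branch, 1.15.6 and later otherwise.
# Older branches (1.13.x and below) never received them.
version_is_fixed() {
    case "$1" in
        1.14.*) ! version_lt "$1" 1.14.1 ;;
        *)      ! version_lt "$1" 1.15.6 ;;
    esac
}

# nginx_version OUTPUT: extract "1.14.0" from the "nginx version:" line.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/||p'
}

# build_has_module OUTPUT NAME: exit 0 if the configure arguments contain
# the exact token --with-NAME (e.g. http_v2_module, http_mp4_module).
build_has_module() {
    printf '%s\n' "$1" | sed -n 's|^configure arguments: ||p' \
        | tr ' ' '\n' | grep -qx -- "--with-$2"
}

# config_uses_http2 FILE: exit 0 if any listen directive in FILE carries
# the http2 option, which is what activates the HTTP/2 code paths.
config_uses_http2() {
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]http2[[:space:];]' "$1"
}

# exposure OUTPUT CONF_FILE: print a comma-separated list of the advisory's
# CVE ids that apply, or "none". The mp4 issue is scoped the way the
# advisory scopes it (module compiled in); whether a location actually
# enables the mp4 handler is not checked here.
exposure() {
    v=$(nginx_version "$1")
    out=""
    if ! version_is_fixed "$v"; then
        if build_has_module "$1" http_v2_module && config_uses_http2 "$2"; then
            out="CVE-2018-16843,CVE-2018-16844"
        fi
        if build_has_module "$1" http_mp4_module; then
            out="${out:+$out,}CVE-2018-16845"
        fi
    fi
    printf '%s\n' "${out:-none}"
}

# Usage with the constructed samples.
conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
exposure "$SAMPLE_NGINX_V" "$conf"
rm -f "$conf"
```

On a real host, replace the two samples with `nginx -V 2>&1` and the path of the included config that holds the `listen` lines; Gentoo's default `USE=+http2` (noted further down in this bug) means the module check will usually come back positive there, so the version and the `listen ... http2` check are what decide exposure.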
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=931ea67612c9eb3f435cdf42b3401181e40e6bce

commit 931ea67612c9eb3f435cdf42b3401181e40e6bce
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 16:03:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 16:04:06 +0000

    www-servers/nginx: bump to v1.14.1 stable

    - nginScript module bumped to v0.2.5
    - HTTP VHost Traffic Status module bumped to commit 46d85558e344dfe
    - brotli module bumped to commit 8104036af9cff

    Bug: https://bugs.gentoo.org/670496
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/Manifest            |    1 +
 www-servers/nginx/nginx-1.14.1.ebuild | 1081 +++++++++++++++++++++++++++++++++
 2 files changed, 1082 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=395959f0a2392993b260566a518de96f16d66daf

commit 395959f0a2392993b260566a518de96f16d66daf
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 15:58:12 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 16:04:04 +0000

    www-servers/nginx: bump to v1.15.6 mainline

    - nginScript module bumped to v0.2.5
    - brotli module bumped to commit 8104036af9cff

    Bug: https://bugs.gentoo.org/670496
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/Manifest                         |    3 +
 .../nginx/files/http_brotli-detect-brotli-r2.patch |   30 +
 www-servers/nginx/nginx-1.15.6.ebuild              | 1081 ++++++++++++++++++++
 3 files changed, 1114 insertions(+)
Note that comment #0 is a copy from upstream advisories. Gentoo has set USE=+http2 by default for example.

@ Arches, please test and mark stable:

=www-servers/nginx-1.14.1
amd64 stable
x86 stable
GLSA Vote: No! Repository is clean, all done.